Unlawful access to personal data: a stark warning for employees and organisations

For years, the Information Commissioner’s Office (ICO) has been clear about the importance of protecting personal data, holding organisations and individuals to account for breaches under data protection law. However, a recent case has highlighted the potentially severe consequences for those who unlawfully access personal data – including the very real prospect of imprisonment.

In a landmark move, the ICO prosecuted Rizwan Manjra, a former motor insurance employee, under the Computer Misuse Act 1990 (CMA). Manjra, who held a senior role at Markerstudy Insurance Services Limited (MISL) in Manchester, was found guilty of unlawfully accessing over 32,000 insurance policies, many of which had no connection to his job responsibilities. He accessed these records outside of work hours and passed personal data to an unknown third party via mobile phone.

The investigation revealed systematic and deliberate misuse of personal data. Following an internal investigation by MISL and a search of Manjra’s home, it became clear that his actions violated not only his employer’s trust but also the privacy of thousands of individuals.

Manjra was found guilty at Manchester Crown Court of unlawfully accessing 160 insurance claims, many of which were outside his job remit. Of the 160 claims, 147 were unrelated to his team’s responsibilities, and no legitimate reason could be provided for his access.

Manjra was discovered to have sent files containing personal details, including names, vehicle registrations, and accident information, to a contact identified as “Paddy Coco.” Messages found on his phone revealed an ongoing exchange, with “Paddy Coco” encouraging him to “keep them coming.” These actions were part of a deliberate and systematic breach of trust, with the data likely used for claims farming purposes.

When the ICO became aware of the data breach, Manjra attended an informal investigation meeting over the phone in which he claimed he sometimes accessed the systems on a Sunday evening to save time on a Monday morning. He suggested he had not shared the data without consent. A disciplinary meeting was then set up, but Manjra failed to attend and a warrant to search his property was issued. Investigators found several mobile phones and a laptop which had been used to send the information. 

Manjra did not receive any financial contribution for his criminal activity, his defence team said in court. Instead, the behaviour was “in exchange for debt owed by him to others,” his solicitor Hope Nelson said. Manjra’s actions were a result of pressure placed upon him by loan sharks who had made threats to damage his property. Worrying for businesses and data protection officers, however, is the admission from Manjra’s defence team that he was a “cog in a machine.” This suggests a highly organised criminal network which understands the value of personal data, and is willing to do just about anything to get its hands on it.

On 11 December 2024, Manjra was sentenced at Manchester Crown Court to six months in prison, suspended for two years, and ordered to complete 150 hours of unpaid work. 

This case is a significant moment for the ICO and the expansion of its enforcement remit, including where criminal charges may need to be brought. Traditionally, its focus has been on enforcement actions under the Data Protection Act, with fines and regulatory notices being the usual tools of accountability. Yet when personal data misuse crosses into criminality under the CMA, the ICO will not hesitate to pursue prosecution.

Andy Curry, Interim Director of Enforcement and Investigations at the ICO, said:
“Manjra abused the trust his employer placed in him and sought to use their customers’ personal information for his own ends. We will take action to protect UK businesses and members of the public from threats to their personal information. Today’s outcome should send a strong deterrent message to others who may contemplate accessing information which they don’t have a right to look at.”

This prosecution reinforces that data protection is not just a regulatory issue but a matter of criminal law when individuals misuse systems to access data unlawfully.

A warning for employees and organisations

This case serves as a warning to anyone with access to personal data: unauthorised access and misuse could result in criminal charges, imprisonment, or both. Employees must understand that their access to data is a privilege, granted solely for the purpose of performing their job. Abusing this access not only jeopardises their career but also carries severe legal consequences.

For organisations, this case highlights the importance of monitoring internal systems to detect unusual or suspicious activity. Employers must ensure robust controls are in place, including logging and auditing access to sensitive information, to prevent misuse and protect customer data.

While not every misuse of personal data will fall under the CMA, this case underscores that where criminality exists, the ICO is prepared to act decisively. In an age where personal information is increasingly vulnerable, both individuals and organisations must take their responsibilities seriously – or face the consequences.

Unlawfully accessing personal data is not a harmless act; it is a criminal offence that can result in life-changing penalties. Let this be a reminder to all: data protection laws exist for a reason, and those who breach them may find themselves standing before a judge.


How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.


James

VinciWorks CEO, VinciWorks
